Active Directory Password Changes using GlobalProtect

AD policies and passwords

There are often situations where Active Directory (AD) policies require users to change passwords, for example, the first time a user logs in with a temporary password, when a user’s password expires, or when a user forgets a password. Unfortunately, because enterprises typically do not expose their Active Directory infrastructure over the internet, remote users may not have the access they need to update their AD passwords in these situations.

Enabling password change for remote users

GlobalProtect 3.1 and earlier versions do not natively provide support to change or update a user’s AD password. This document explains how you can use alternate methods and enable remote users to change their Active Directory passwords over a GlobalProtect tunnel.

Workarounds using GlobalProtect VPN tunnel

Although GlobalProtect 3.1 and earlier versions cannot change or update a user's AD password natively, you can configure alternate authentication methods besides Active Directory that enable remote users to establish a GlobalProtect VPN tunnel. Once the tunnel has been established and users can reach the enterprise Active Directory, they can change their password even when working remotely.

Using one of these options, you can prevent remote users from being locked out when they forget their password or when their password expires.

A remote user may try to change or update their password at two different times:

At the time of logging in to the Windows system

After logging in to the Windows system

Enabling remote users to change password at Windows Login

Pre-logon is one of the Connect Methods supported by GlobalProtect. Pre-logon enables GlobalProtect to establish a VPN tunnel using a machine certificate on the user’s endpoint (computer, laptop, or notebook). This connection method establishes a pre-logon tunnel immediately after the system boots up and before the user logs in. If the enterprise AD is accessible over this pre-logon tunnel, remote users can log in to the domain with a temporary password or use the Change Password option that's natively available on the Windows login screen to update their passwords.

This option is particularly useful if a remote user forgets their Active Directory credentials and is unable to log in even to the Windows system. Without the pre-logon tunnel, even if the administrator resets the user's password, the remote user cannot use the new password to log in to the domain and subsequently update the password.

Because of the changes Microsoft has made to the Windows login and the credential provider framework, the end user experience of changing an AD password remotely at the time of Windows login differs between Windows 7 and Windows 8 / Windows 10.

Changing AD password on Windows 7:

On Windows 7, the GlobalProtect credential provider wraps the native Windows credential provider and provides the end user with the native Windows login experience. Users can log in as they normally do; any password policy enforced by AD is applied, and the user is notified about the password requirements as usual.

Changing AD password on Windows 8 and 10:

On Windows 8 and Windows 10, however, the ability to change the password is not available if users select GlobalProtect as the sign-in option. Users have to set Windows as the default sign-in option before using a temporary AD password and subsequently changing their AD password while logging in remotely.

GlobalProtect Single Sign-On (SSO) fails after the user sets Windows as the default sign-in option. The user must log out of Windows and then choose GlobalProtect as the sign-in option when signing in to Windows to make GlobalProtect SSO work again.

Enabling remote users to change password after logging in to Windows

If the remote user remembers the AD credentials but the password has expired, the user is still able to log in to the Windows system using cached credentials. However, authentication to the portal or gateway fails because the AD password has expired. In this scenario you can use the GlobalProtect authentication override feature (introduced in PAN-OS 7.1 and GlobalProtect 3.0). This feature enables GlobalProtect portals and GlobalProtect gateways to override the authentication profile requirements and authenticate users with a cookie instead. To use this option, you must do the following:

Configure the GlobalProtect portal to generate a cookie and accept the cookie for authentication.

Configure at least one GlobalProtect gateway to accept the cookie for authentication.

Set the lifetime of the cookie to as long as you would want the user to be able to log in to this gateway even after the user's password has expired.

With this configuration, even if the password has expired, a remote user can still connect to this gateway using the cookie as long as it is still valid. After the tunnel is established, remote users can reach the enterprise Active Directory and change their passwords by pressing Ctrl + Alt + Delete and using the Change Password option.
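As an added illustration (a constructed model, not PAN-OS configuration or code from the original article), the script below replays a constructed timeline of connection attempts against the cookie rules described above and computes the cookie lifetime that would have avoided a lockout. It assumes the portal issues a fresh cookie only on a successful password login and that cookie-based logins do not refresh it.

```python
from datetime import datetime, timedelta

# Constructed model of the authentication-override behaviour described in the article
# (not PAN-OS code): a cookie is issued by the portal only on a successful password
# login and is accepted by the gateway for `lifetime_hours` afterwards. Assumption:
# a login that succeeds via cookie does not refresh the cookie.

def simulate_connections(attempts, password_expires, lifetime_hours, accept_cookie=True):
    """Replay connection attempts and return (timestamp, how_authenticated) for each."""
    cookie_issued = None
    outcomes = []
    for when in attempts:
        if when < password_expires:
            outcomes.append((when, "password"))   # AD auth works; portal issues a fresh cookie
            cookie_issued = when
        elif (accept_cookie and cookie_issued is not None
              and when <= cookie_issued + timedelta(hours=lifetime_hours)):
            outcomes.append((when, "cookie"))     # password expired, cookie still valid
        else:
            outcomes.append((when, "locked_out")) # neither works: pre-logon or helpdesk needed
    return outcomes

def minimum_lifetime_hours(attempts, password_expires):
    """Smallest cookie lifetime (hours) that avoids every lockout in this timeline, or None
    if the user never authenticated with a valid password before it expired."""
    last_password_login = max((t for t in attempts if t < password_expires), default=None)
    if last_password_login is None:
        return None
    gaps = [(t - last_password_login) / timedelta(hours=1)
            for t in attempts if t >= password_expires]
    return max(gaps, default=0)

def demo(lifetime_hours=72):
    """Constructed timeline: AD password expires 2024-03-10 09:00; user connects every few days."""
    expires = datetime(2024, 3, 10, 9, 0)
    attempts = [datetime(2024, 3, 7, 8, 0), datetime(2024, 3, 9, 8, 0),
                datetime(2024, 3, 11, 10, 0), datetime(2024, 3, 13, 10, 0)]
    results = simulate_connections(attempts, expires, lifetime_hours)
    return [(t.isoformat(), how) for t, how in results], minimum_lifetime_hours(attempts, expires)

if __name__ == "__main__":
    outcomes, needed = demo()
    for stamp, how in outcomes:
        print(stamp, how)
    print("cookie lifetime needed to avoid lockout:", needed, "hours")
```

With the default 72-hour lifetime the fourth attempt is locked out; the timeline shows that the lifetime must cover the longest gap between the user's last password login and their next connection after expiry.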

This is great if you are using GlobalProtect; however, if you are using Clientless VPN and iPads, you are pretty much out of luck. The Clientless VPN simply gives you "invalid username or password" if your password is expired. It should allow you to enter a new one, similar to the old Juniper SSL VPN solution. How do I know this? Because I am trying to replace an SA appliance right now with PAN Clientless VPN, and the only thing that kills it is that the users are unable to change their passwords.

I have opened a ticket with support and they have confirmed this. I could potentially use certs on the iPads, but then I am giving access to my network to a device simply because it has a cert with user login required, which I am not sure is secure enough for me. This information is current as of 8.0.3.